Sunday, April 09, 2006

TcpXtract - AddON

Sunday should be the day to hang out, but I'm still sitting in front of computers after coming back from the local PC fair. Reading seems to be my hobby these days, especially since keeping myself up to date with cyber security requires this kind of attitude. I hope I will stop this type of life when I'm old enough, since I don't want brain damage.

The recent MS-DOS executable and portable executable add-ons to the tcpxtract config file work pretty well for me. Then I wondered whether there is a way to extract ELF binaries, so I decided to run either xxd or hexdump against ELF binaries and study the header so that I could add it to the tcpxtract.conf file. It isn't something you find anywhere, so this is what I appended to the config file.

###############################
# ELF - Executable and Linking Format
###############################

elf(30000000, \x7F\x45\x4C\x46);

This is another piece I added, for the NE format:

###############################
# NE - New Executable (used by Windows)
###############################

ne(40000000, \x4D\x5A\x50, \x4E\x45);


For people who really want to understand ELF, this is one of the must-reads:

http://www.cs.ucdavis.edu/~haungs/paper/node10.html

I found it very detailed and clean in explaining the ELF binary format, and it even helped me understand the memgrep output I used when collecting hostile data on a hacked server, which I have written about here previously.

Peace :]

P/S: There is a possibility of false positives when extracting files, because I haven't tested the signatures intensively.
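As an added example (not code from this post or from tcpxtract itself), the Python below reimplements tcpxtract's header/footer carving over the config syntax shown above and adds a cheap ELF plausibility check on the e_ident fields (EI_CLASS, EI_DATA, EI_VERSION) described in the referenced ELF document, to cut down the false positives mentioned in the P/S. The config fragment and the byte stream it carves are constructed here for the demonstration.

```python
import re
# Constructed tcpxtract.conf fragment in the post's syntax: name(maxsize, header[, footer]);
CONF = r"""
# ELF - Executable and Linking Format
elf(30000000, \x7F\x45\x4C\x46);
# NE - New Executable
ne(40000000, \x4D\x5A\x50, \x4E\x45);
"""
SIG_RE = re.compile(r"^\s*(\w+)\s*\(\s*(\d+)\s*,\s*([^,;)]+)(?:,\s*([^;)]+))?\)\s*;")

def unescape(s):  # turn the \xNN escapes written in the config into raw bytes
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", s))

def parse_conf(text):
    sigs = []
    for line in text.splitlines():
        m = SIG_RE.match(line.split("#", 1)[0])  # '#' starts a comment
        if m:
            name, maxsize, header, footer = m.groups()
            sigs.append((name, int(maxsize), unescape(header), unescape(footer) if footer else None))
    return sigs

def carve(data, sigs):
    # For every header hit, cut at the footer if one is configured and found within
    # maxsize bytes, otherwise at maxsize: the same rule tcpxtract applies.
    found = []
    for name, maxsize, header, footer in sigs:
        start = data.find(header)
        while start != -1:
            end = min(start + maxsize, len(data))
            if footer is not None:
                f = data.find(footer, start + len(header), end)
                if f != -1:
                    end = f + len(footer)
            found.append((name, start, data[start:end]))
            start = data.find(header, start + 1)
    return found

def plausible_elf(blob):
    # Cheap false-positive filter from the ELF e_ident layout: EI_CLASS in {1,2}, EI_DATA in {1,2}, EI_VERSION == 1.
    return len(blob) >= 7 and blob[4] in (1, 2) and blob[5] in (1, 2) and blob[6] == 1

# Constructed stream: noise, a real-looking ELF64 LSB header, a bogus "\x7fELF" hit,
# then an MZP stub that ends at an "NE" footer.
STREAM = (b"noise" + b"\x7fELF\x02\x01\x01" + bytes(9) + b"code..."
          + b"\x7fELF\x09\x00\x00garbage" + b"MZP" + b"\x90" * 20 + b"NE" + b"trailing")
def run():  # (name, offset, passes_plausibility, carved_length) for each hit
    hits = carve(STREAM, parse_conf(CONF))
    return [(n, off, plausible_elf(b) if n == "elf" else True, len(b)) for n, off, b in hits]
```

Note that the first ELF hit swallows everything up to maxsize because the ELF entry has no footer, which is exactly how tcpxtract behaves with footer-less signatures; the bogus second hit is flagged by the e_ident check rather than by the signature itself.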

1 comment:

Anonymous said...

Hi.. Excuse me, I want to add some graphic extensions to tcpxtract. Can you tell me how to get the values to add them? I know they are the signature of the extension, but I don't know how I get them.. Thx